Is That Personal-Finance App Secure?

Most online personal-finance applications, which we covered in a Weekend Investor cover story last Saturday, come with an important caveat: Almost universally, in order to use them, you’ll have to turn over user names and passwords to your bank, investment or credit-card accounts.

That’s a nightmare for privacy advocates. Just a couple of weeks ago, professional networking company LinkedIn disclosed that hackers had retrieved more than 6 million passwords (without corresponding user names) and decoded at least a portion of them.

And while much of the data you give to LinkedIn is meant to be public, the information you have in your financial accounts is anything but, notes Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.

The sites all say that they have bank-level security protecting users’ info, but it’s worth considering what the costs of a breach would be.

For one, most of the services themselves are “read only.” SigFig, for example, aggregates investment accounts into one place. If, say, a hacker got hold of your SigFig user name and password, he or she would be able to see your financial history but not actually move money around.

Even if hackers broke into the servers holding your bank user name and password and somehow decoded them, in many cases banks require users logging in from unrecognized computers to answer additional security questions or enter a temporary PIN sent to a cellphone or email account.

Financial damage aside, the greatest risk for users might be loss of privacy if a personal-finance app accidentally leaked user spending information or someone got hold of a user’s log-in information, says Jason Owens, a security expert who works for CDW, a technology seller and consultant.

There’s some precedent for such mistakes. Rudder, which aggregated users’ accounts and emailed them a regular financial report, in 2009 accidentally sent financial information on more than 700 clients to other users. It shut down in 2010.

An enterprising identity thief could use spending and account info gleaned from a personal-finance aggregator to trick the user or others into revealing even more sensitive account information, says Owens.

In the end, it’s up to a user to decide if those concerns outweigh the benefits they get from the service. “I don’t know if there’s one right or wrong answer,” says Owens. “It’s risk versus reward.”